Data Transfer Agreement

As Chief Investigator, you are required to agree to these terms in order to create and manage Clinical Trials on the CardioTrials Platform. Please read these terms carefully. Once you check the box to indicate your agreement to these terms, they will form a binding legal agreement between you and CardioTrials.

1. This Agreement

1.1 This agreement governs the transfer of personal data by the Data Discloser to the Data Receiver, in relation to the use of the CardioTrials Platform.
1.2 The Data Discloser is CardioTrials, a trading name of Pumping Marvellous Ventures Ltd, a company registered in England and Wales (company number 12790994), whose registered office is at Suite 111, Business First Millennium City Park, Millennium City Road, Ribbleton, Preston, United Kingdom, PR2 5BL.
1.3 The Data Receiver is the Chief Investigator that creates an account and registers Clinical Trials on the CardioTrials Platform.
1.4 This agreement shall commence on the date that the Data Receiver indicates its agreement to it on the CardioTrials Platform, and will continue until such time as the Data Receiver’s account on the CardioTrials Platform is closed, terminated or permanently deactivated.

1. Interpretation

1.1 Definitions:
Agreed Purposes
has the meaning given to it in clause 3 of this agreement.
CardioTrials Platform
the web platform operated by the Data Discloser, located at cardiotrials.org.
Clinical Trial
a clinical trial which is registered and listed on the CardioTrials Platform by the Data Receiver.
Data Protection Legislation
all applicable data protection and privacy legislation in force from time to time in the UK, including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data; and the guidance and codes of practice issued by the relevant data protection or Supervisory Authority and applicable to a party.
Patient
an individual data subject who registers an account (as a patient) on the CardioTrials Platform.
Personal Data Breach
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.
Shared Personal Data
the personal data and special categories of personal data transferred by the Data Discloser to the Data Receiver pursuant to this agreement (as described in clause 5).
Supervisory Authority
the relevant supervisory authority in the territories where the parties to this agreement are established.
Term
the duration of the term of this agreement, in accordance with clause 1.4 above.
Trialist Partner
a person or organisation (other than the Data Receiver) involved in the conducting of a Clinical Trial:
(i) which the Data Receiver registers on the CardioTrials Platform in respect of that Clinical Trial (including Project Managers, Principal Investigators and Researchers); and/or
(ii) to which the Data Receiver discloses, grants access or otherwise makes available the Shared Personal Data,
in each case, whether or not such person or organisation has a registered account on the CardioTrials Platform.
1.2 Terms defined in the Data Protection Legislation and used in this agreement, including controller, processor, data subject, personal data, processing and appropriate technical and organisational measures, shall, unless the context otherwise requires, have the respective meanings given to them in the Data Protection Legislation.
1.3 Unless the context otherwise, requires, words in the singular shall include the plural and in the plural shall include the singular.
1.4 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.5 A reference to a statute or statutory provision is a reference to that statute or statutory provision as amended, updated or re-enacted from time to time, and shall include all subordinate legislation made from time to time under that statute or statutory provision.
1.6 Any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.
1.7 A reference to writing or written includes email.
1.8 Any obligation on the Data Receiver not to do something includes an obligation not to allow that thing to be done (including by any Trialist Partner).

2. Purpose

2.1 This agreement sets out the framework for the transfer of Shared Personal Data by the Data Discloser to the Data Receiver. It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.
2.2 The parties consider this data transfer initiative necessary in order for the Data Receiver to use the facilities provided on the CardioTrials Platform to conduct and manage certain aspects of clinical trials. The aim of the data sharing initiative is to bring together organisations conducting clinical trials and patients who are willing to be considered for participation in those trials. It will serve to benefit society by encouraging and facilitating clinical trials to be conducted, particularly in cases where funding is limited, with a view to improving the visibility of clinical trials, healthcare, knowledge, treatments and health services.
2.3 The Data Receiver agrees to only process Shared Personal Data for the following purposes:
2.3.1 to identify suitable and willing Patients who wish to take part in Clinical Trials;
2.3.2 to correspond with those Patients in all matters relating to the Clinical Trials;
2.3.3 to enable the sharing of Shared Personal Data between the Data Receiver and Trialist Partners, to the extent necessary in order to conduct the Clinical Trials; and
2.3.4 to conduct the Clinical Trials in accordance with all generally accepted industry and ethical practices.
The Data Receiver shall not process Shared Personal Data in a way that is incompatible with the purposes described in this clause (Agreed Purposes).

3. Both parties are independent controllers

3.1 The Data Discloser is the controller of all personal data inputted by any user into the CardioTrials Platform.
3.2 Where the Data Discloser transfers Shared Personal Data to the Data Receiver, the Data Receiver will become an independent controller of the Shared Personal Data.
3.3 For the avoidance of doubt, the Data Discloser and the Data Receiver do not act as joint controllers and neither party acts as a processor on the other’s behalf.

4. Shared Personal Data

4.1 The Data Discloser will only transfer Shared Personal Data concerning a Patient to the Data Receiver where that Patient has given their explicit consent to the transfer (by means of the Patient’s actions on the CardioTrials Platform).
4.2 In this agreement, Shared Personal Data means any or all of the following types of personal data relating to Patients:
4.2.1 General Personal Data
  • Full name, title and date of birth
  • Contact details (including telephone, email, postal address)
  • Preferences indicated by the Patient (including preferences as to the types of clinical trials the Patient is interested in, and whether the Patient wishes to be considered for other Clinical Trials conducted by the Data Receiver)
4.2.2 Special Categories of Personal Data
  • Data concerning health, including:
    • the Patients’ medical numbers;
    • details of the Patients’ medical conditions, diagnoses and symptoms;
    • information about healthcare services used by the Patients, including the hospital(s) of care and details and dates of hospital admissions;
    • results of medical tests (including, for example, LVEF and NT-proBNP readings);
    • details of medicines, treatments, medical devices and other medical or healthcare related products used by the Patients, including full details (and/or images) of prescriptions; and
    • information about any other clinical trials that the Patients are involved in.
4.3 The Data Discloser shall not transfer to the Data Receiver, and the Data Receiver shall not request (from the Data Discloser or the relevant Patient), personal data which is irrelevant or excessive with regard to the Agreed Purposes.
4.4 Where the Data Receiver registers any Trialist Partner on the CardioTrials Platform in respect of a particular Clinical Trial, who may receive Shared Personal Data directly from the Data Discloser using the facilities on the CardioTrials Platform:
4.4.1 that Trialist Partner shall be deemed to be acting on the Data Receiver’s behalf in receiving any Shared Personal Data;
4.4.2 for the purposes of this agreement, the Shared Personal Data shall be deemed to have been transferred by the Data Discloser to the Data Receiver; and
4.4.3 the Data Receiver shall be fully responsible and liable for its transfer of the Shared Personal Data to that Trialist Partner, in accordance with this agreement.

5. Compliance with Data Protection Laws

5.1 Each party must comply with the Data Protection Legislation at all times during the Term of this agreement.
5.2 Each party has such valid registrations and/or paid such fees as are required by its national Supervisory Authority which, by the time that the data sharing is expected to commence, covers the intended data sharing pursuant to this agreement, unless an exemption applies.
5.3 The Data Discloser is registered with the UK Information Commissioner’s Office (registration number ZA787904).

6. Lawful, Fair and Transparent Processing

6.1 The Data Receiver shall ensure that it processes the Shared Personal Data fairly and lawfully, and in accordance with clause 7.2, during the Term of this agreement.
6.2 The Data Receiver shall ensure that it has legitimate grounds under the Data Protection Legislation for the processing of Shared Personal Data (including a legal basis under Article 6 of the GDPR, and appropriate conditions for the processing of special categories of personal data under Article 9 of the GDPR).
6.3 Where the Data Receiver relies on the consent of Patients for the processing of Shared Personal Data (in particular, for the processing of special categories of personal data), the Data Receiver shall ensure that it obtains valid, explicit consent from the Patient and that it maintains sufficient records of such consents.
6.4 The Data Receiver undertakes to inform the Patients, in accordance with the Data Protection Legislation, of the purposes for which it will process their personal data, the legal basis for such purposes and such other information as is required by Article 14 of the GDPR. Such information must include, where Shared Personal Data will be transferred to any third party (including the Trialist Partners), that fact and sufficient information about such transfer and the purpose of such transfer to enable the Patients to understand the purpose and risks of such transfer).

7. Data Quality

7.1 The Data Discloser shall take reasonable and appropriate steps to ensure that Shared Personal Data transferred to the Data Receiver are accurate and up-to-date at the time of transfer.
7.2 After receiving Shared Personal Data from the Data Discloser, it is the Data Receiver’s responsibility to ensure that the Shared Personal Data remain accurate and up-to-date, and to take all reasonable steps to erase or rectify Shared Personal Data which becomes inaccurate or out-of-date with regard to the Agreed Purposes.

8. Data Subjects’ Rights

8.1 Each party shall be responsible for complying with its own obligations under the Data Protection Legislation in respect of subject access requests and other requests by Patients to exercise their rights under the Data Protection Legislation.
8.2 Notwithstanding clause 9.1 above, the parties each agree to provide such assistance as is reasonably required to enable the other party to comply with requests from Patients to exercise their rights under the Data Protection Legislation within the time limits imposed by the Data Protection Legislation.

9. Data Retention and Deletion

9.1 The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.
9.2 Notwithstanding clause 10.1, the parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and/or industry.
9.3 Once processing of the Shared Personal Data by the Data Receiver is no longer necessary for the Agreed Purposes, the Data Receiver shall ensure that all copies of the Shared Personal Data that it holds or has in its possession or control are securely deleted or destroyed.

10. Transfers

10.1 For the purposes of this clause, transfers of personal data shall mean any sharing of personal data by the Data Receiver with a third party, and shall include, but is not limited to, the following:
10.1.1 disclosing (or otherwise granting access to or making available) the Shared Personal Data to any Trialist Partners;
10.1.2 subcontracting the processing of Shared Personal Data to a third party processor;
10.1.3 granting a third party controller access to the Shared Personal Data.
10.2 If the Data Receiver appoints a third party processor to process the Shared Personal Data it shall comply with Article 28 and Article 30 of the GDPR and shall remain fully responsible, and liable to the Data Discloser, for the acts and/or omissions of the processor.
10.3 The Data Receiver shall not disclose or transfer Shared Personal Data outside the EEA unless it complies with all applicable provisions on the Data Protection Legislation in respect of such transfers (including Chapter V of the GDPR). In particular, the Data Receiver shall not disclose or transfer Shared Personal Data outside the EEA unless:
10.3.1 the transfer is governed by an adequacy decision adopted by the European Commission pursuant to Article 45 of the GDPR (or by adequacy regulations issued by the UK Secretary of State pursuant to section 17A of the Data Protection Act 2018, if and to the extent that such section is in force as at the time of transfer);
10.3.2 the Data Receiver has provided appropriate safeguards for the protection of personal data subject to the transfer, and ensures that enforceable data subject rights and effective legal remedies for data subjects are available, in each case in accordance with Article 46 of the GDPR; and/or
10.3.3 the Data Receiver can otherwise demonstrate that the transfer meets all applicable requirements of the Data Protection Legislation, including in relation to the specific derogations set out in Article 49 of the GDPR or the use of binding corporate rules in accordance with Article 46 of the GDPR.
10.4 Without prejudice to the generality of any other provision of this agreement, the Data Receiver shall be solely responsible for ensuring its compliance with clause 11.3 and shall provide comprehensive information to the Patients (or other data subjects) concerned about the nature and risks of such transfer.

11. Security and Training

11.1 The Data Discloser shall only provide Shared Personal Data to the Data Receiver by using the facilities available on the CardioTrials Platform.
11.2 Both parties undertake to have in place throughout the Term appropriate technical and organisational security measures to:
11.2.1 prevent unauthorised or unlawful processing of the Shared Personal Data, and the accidental loss or destruction of, or damage to, the Shared Personal Data; and
11.2.2 ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Shared Personal Data to be protected.
11.3 Each party shall keep its security measures (as referred to in clause 12.2) under review and shall carry out such updates as it considers appropriate throughout the Term. Each party shall provide to the other such information as the other reasonably requests concerning the other party’s security measures.
11.4 The Data Receiver shall ensure that its staff members have entered into confidentiality agreements or are subject to appropriate legal or professional confidentiality obligations relating to the processing of Shared Personal Data, and are appropriately trained to handle and process the Shared Personal Data in accordance with:
11.4.1 the Data Receiver’s technical and organisational security measures as referred to in clause 12.2; and
11.4.2 the Data Protection Legislation.
11.5 The level, content and regularity of training referred to in clause 12.4 shall be proportionate to the staff members’ role, responsibility and frequency with respect to their handling and processing of the Shared Personal Data.

12. Personal Data Breaches and Reporting Procedures

12.1 Each party shall comply with its obligation to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) Patients under Article 33 of the GDPR and shall each inform the other party of any actual or suspected Personal Data Breach that they become aware of, irrespective of whether there is a requirement to notify any Supervisory Authority or Patient(s).
12.2 The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.

13. Resolution of Disputes With Data Subjects or the Supervisory Authority

13.1 In the event of a dispute or claim brought by a Patient or the Supervisory Authority concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
13.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a Patient or by the Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
13.3 Each party shall abide by a decision of a competent court of the Data Discloser’s country of establishment or of the Supervisory Authority.

14. Warranties

14.1 Each party warrants and undertakes that it will:
14.1.1
process the Shared Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations (including the Data Protection Legislation);
14.1.2
make a copy of this agreement available on request to the Patients to whom the Shared Personal Data relates;
14.1.3
respond within a reasonable time and as far as reasonably possible to enquiries from the relevant Supervisory Authority in relation to the Shared Personal Data;
14.1.4
respond to subject access requests and other requests to exercise data subjects’ rights in accordance with the Data Protection Legislation;
14.1.5
where applicable, maintain registration and/or pay the appropriate fees with all relevant Supervisory Authorities to process the Shared Personal Data for the Agreed Purposes; and
14.1.6
take all appropriate steps to ensure compliance with the security measures set out in clause 12 above.
14.2 The Data Discloser warrants and undertakes that it is entitled (and, where applicable, has the necessary consents) to provide the Shared Personal Data to the Data Receiver.
14.3 The Data Receiver warrants and undertakes that it will not disclose or transfer Shared Personal Data outside the EEA.
14.4 Except as expressly stated in this agreement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the extent permitted by law.

15. Liability and Indemnity

15.1 As between the Data Discloser and the Data Receiver, the Data Receiver shall remain fully responsible and liable to the Data Discloser for the actions or omissions of any third party to which the Data Receiver transfers (or otherwise discloses, grants access or makes available) the Shared Personal Data, including Trialist Partners, as if they were the Data Receiver’s own actions or omissions.
15.2 The Data Receiver shall indemnify the Data Discloser (to the fullest extent permitted by law) against any claim, loss, damage, expense or fine incurred by the Data Discloser arising:
15.2.1
as a result of, or in connection with, any breach by the Data Receiver of any provision of this agreement; and
15.2.2
under or in connection with the Data Protection Legislation, and caused by any action or omission of the Data Receiver (or its directors, officers, employees, permitted agents, licensees and contractors) or the Trialist Partners.

16. Limitation of Liability

16.1 Neither party excludes or limits liability to the other party for:
16.1.1
fraud or fraudulent misrepresentation;
16.1.2
death or personal injury caused by negligence;
16.1.3
a breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or
16.1.4
any matter for which it would be unlawful for the parties to exclude liability.
16.2 The Data Discloser’s total liability to the Data Receiver (in contract, tort (including negligence) misrepresentation, restitution or otherwise) under or in connection with this agreement shall be limited to the amount of fees paid or payable (if any) for registering the Clinical Trial to which the claim relates on the CardioTrials Platform (whether such fees are paid or payable by or on behalf of the Data Receiver, or by another party).

17. Third Party Rights

17.1 A person who is not a party to this agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement. This does not affect any right or remedy of a third party which exists, or is available, apart from that Act.
17.2 The rights of the parties to terminate, rescind or agree any variation, waiver or settlement under this agreement are not subject to the consent of any other person.

18. Variation

18.1 The Data Discloser may update or vary the provisions of this agreement unilaterally:
18.1.1
with immediate effect, by giving the Data Receiver notice in writing, where such update or variation is reasonably required in order to address any change in the Data Protection Legislation or to reflect any guidance and/or codes of practice issued by the relevant data protection or Supervisory Authorities; and
18.1.2
in any other circumstances, by giving not less than 30 (thirty) days’ written notice to the Data Receiver.
18.2 Subject to clause 19.1, no variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

19. Notices

19.1 Any notice or other communication given or required to be given to a party under or in connection with this agreement shall be in writing and shall be:
19.1.1
delivered by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case);
19.1.2
sent by email:
19.1.2.1
(if to the Data Discloser) to contact@cardiotrials.org; and
19.1.2.2
(if to the Data Receiver) to such email address as the Data Receiver provides via the CardioTrials Platform.

20. General

20.1 Waiver. No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
20.2 Severance. If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.
20.3 No Partnership or Agency. Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party. Each party confirms it is acting on its own behalf and not for the benefit of any other person.
20.4 Rights and Remedies. The rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
20.5 Governing Law. This agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
20.6 Jurisdiction. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this agreement or its subject matter or formation.

Developed with assistance from the University of Glasgow - Robertson Centre for Biostatistics.

Supported by Vifor Pharma

© 2021 CardioTrials

CardioTrials and its intellectual property is owned by Pumping Marvellous Ventures Ltd, registered in England and Wales, registered company number 12790994 which is a trading subsidiary of the Pumping Marvellous Foundation, registered in England and Wales, registered company number 08370761, registered with the Charity Commission for England and Wales, registered charity number 1151848.
Pumping Marvellous Ventures Ltd C/O Pumping Marvellous Foundation, Suite 111, Business First, Millennium City Park, Millennium Road, Preston PR2 5BL
Facebook / Twitter / Instagram / YouTube